Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deployment docs? #20

Open
jantman opened this issue Dec 21, 2016 · 4 comments
Open

Deployment docs? #20

jantman opened this issue Dec 21, 2016 · 4 comments

Comments

@jantman
Copy link

jantman commented Dec 21, 2016

So... I think I really want to take this project for a spin, and possibly start using it at $WORK instead of raw awslimitchecker. We've been toying with the idea of adding support to open limit increase tickets automatically, but the fact that awslimits has a pretty UI and updates limit values by parsing tickets is pretty cool.

Would it be possible to get some docs - even just an unofficial quick explanation - of how you're deploying and running this?

Also, just for clarification, am I correct that:

  1. this currently only supports a single account, and
  2. sendgrid is the only supported email provider?

Thanks!
-jantman

@hltbra
Copy link
Contributor

hltbra commented Dec 22, 2016

Sorry for the lack of documentation, we'll work on that.

  1. Yes, it's single account for now
  2. Yes, sendgrid is the only supported email provider but it wouldn't be complicated to parametrize the send_alerts command

In regards to deployment, we have not published awslimits to PyPI yet (we only deployed it to our internal PyPI at Yipit, cc @spulec, @nadlerjessie), but the goal is to have it running like:

pip install awslimits gunicorn

export AWS_ACCESS_KEY_ID=<aws key>
export AWS_SECRET_ACCESS_KEY=<aws secret>
export REGION_NAME=<aws region, such as "us-east-1">
export [email protected],[email protected]
export [email protected]
export FROM_EMAIL_NAME='AWS Limit Alerts - <account nickname>'
export ROLE_ARN=arn:aws:iam::<account_id>:role/awslimits
export SENDGRID_API_KEY=<sengrid api key>

gunicorn awslimits.server:app -b localhost:8080

You can pip install the git repo with pip install git://github.com/Yipit/awslimits.git#egg=awslimits while it's not on PyPI.

If your account doesn't have enterprise support (can't use trusted advisor), export the env var PREMIUM_ACCOUNT=0.

We deploy our solution using AWS ELB with SSL on port 443-> nginx on port 80 + proxy_pass -> gunicorn bound to a unix socket. We run the gunicorn process using supervisord, but that's up to you.

It's required that you have an IAM role (I recommend the name awslimits) and export credentials to assume that role (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY).

The IAM role should have the AWS managed policies ReadOnlyAccess and AWSSupportAccess (or simply support:DescribeCases), along with the necessary trust relationship to assume the awslimits role[1]. You will also need dynamodb permissions to read/write data[2].

[1]: Something like:

{
  "Sid": "ProdPermissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<account id>:<root or another user>"
  },
  "Action": "sts:AssumeRole"
}

[2]: Something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1481821456000",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:<account id>:table/awslimits_tickets",
                "arn:aws:dynamodb:us-east-1:<account id>:table/awslimits_limits",
                "arn:aws:dynamodb:us-east-1:<account id>:table/awslimits_sent_alerts"
            ]
        }
    ]
}

Any feedback about the deployment is welcome (feature requests too!)

@jantman
Copy link
Author

jantman commented Dec 23, 2016

No need to be sorry, I know it's a really young project. I'm just really interested in checking it out!

Cool, thanks! As far as I can tell, that covers pretty much everything I'd want to know... or at least gives me enough info about how you're running it to come up with a starting point.

I'm actually on vacation for the next week or so, so I'll probably come back to this in 2017 and spin up a demo, and see what the folks at $WORK think about it...

Thanks so much for the info!

@xinghan666
Copy link

Can I use the support API without Enterprise support?

@hltbra
Copy link
Contributor

hltbra commented Apr 29, 2019

It seems that Business or Enterprise support is necessary to have access to the Support API, @xinghan666: https://docs.aws.amazon.com/awssupport/latest/user/Welcome.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants